
Comment Re:Don't remake, release the source. (Score 1) 120

I'd be surprised to see Blizzard do either; but he did specify 'the source' rather than 'the IP'; and the two are (relatively) easily separable.

Given that, even at the time, most of the enthusiasm for Starcraft was for a combination of its play balance (having 3 actually-different sides without being horribly lopsided was pretty big news when the standard was two, often basically reskins of each other with a couple of flavor units) and overall style/art direction; I'm not sure who would be interested in just the engine; but Blizzard certainly could release it without giving up any control over the parts of the Starcraft 'IP' that are of actual value. Given the number of people who actually want to look at the code vs. the number of people who just want to play Starcraft, it would be a lot of trouble for not a lot of interest, but it needn't threaten the stuff that is actually worth something.

Comment Revoke slashdot.org's certificate ! (Score 1) 212

and very few people would check EV

That's why some browsers like Firefox check it for you and display it right in the URL bar.
You can't miss it.

What you really need is the domain registrars to check that if sites are being registered that are similar to a company name or trademark that they have a legitimate right to use that name.

Hey, then you need to ban slashdot.org, because its name is similar to Slash. Or to DJ Slash. Or to Fatboy Slim's song.

The problem with "check that if sites are being registered that are similar to a company name or trademark" is that it's a complex task requiring some thinking that is not trivial to automate for absolutely free (and in a way that won't be trivially circumvented by attackers).
It goes beyond the point of Let's Encrypt (whose point is, as the name indicates, just to make encryption available).

Or build a chain-of-trust system where people can blacklist a bad domain by voting it down

Which isn't an easy task to do (how many - outside of /. - use PGP on a regular basis?) Chain-of-trust systems aren't easy.

Blacklists aren't a silver bullet either: an attacker could still bank on a quick attack, trying to scam as many users as possible before getting flagged.
(See all the "software to make a millionaire out of you on binary option sites!" scams that are popping up everywhere. A site costs under a couple of hundred in stock photos / fiverr actors / ad promotion to set up, and can manage to make a few thousand selling snake oil before getting reported and shut down.)

Neither of them have anything to do with HTTPS.

Which brings us back to the point: Let's Encrypt's purpose, as its name implies, is to bring the S in HTTPS and nothing more.
It's not their job to solve owner certification in an easy way.

Comment Business model of a free site ?! (Score 1) 212

In other words, the business model of Let's Encrypt is to sell digital certificates that aren't worth the electrons they are printed on.

Let's Encrypt is a free (price as-in-beer, code as-in-speech) service. They don't have a business model.

They have a purpose (the same as CACert, by the way), to issue simple certificates that can verify that "blah.com" is indeed "blah.com".
(As opposed to some man-in-the-middle attacker masquerading as "blah.com" using a different 3rd server).

They do not certify anything else, and indeed the certificates' fields. This certificate doesn't certify any organisation name.

This is even reflected in some browser's URL bar.
e.g.: in Mozilla's Firefox.

- Go to a "Let's Encrypt" website (like here on /.) or one certified by CACert:
you only get the green padlock (sign that the communication is encrypted) and no other indication.
Let's Encrypt only checked that slashdot.org is indeed slashdot.org, but didn't check anything regarding ownership.
(it might as well be someone trying to impersonate Slash, DJ Slash or Fat Boy Slim)

- Go to PayPal:
in addition to the padlock, you get an indication that the certificate is certifying that the server is owned by PayPal Inc.
(Symantec actually checked that PayPal Inc is indeed own

Issuing a certificate to BobsCarRepair.com is one thing. Obviously you have no way of knowing whether or not Bob is a reputable business.

Even further: it doesn't even certify that the owner of the website is someone called Bob. It only certifies to you that it is indeed bobscarrepair.com.
It might as well be owned by Alice, for all you know.
It only certifies that Eve isn't wiretapping you when you give your credit card number to buy parts.

However, Issuing 14,000+ certificates that contain the word PayPal, to domains not owned by the real PayPal, is incompetence on a massive scale and calls into question Let's Encrypt's honesty and trustworthiness.

Nope.
There's a difference between guaranteeing a secure channel (against 3rd party eavesdropping) and guaranteeing identity.
These are 2 different concepts.
Let's Encrypt only takes care of the first one and has never ever hoped to tackle the second problem. They DO NOT certify owners; this field is intentionally left blank on their certificates.

The point of Let's Encrypt (as its name says) is that encryption becomes the norm on the web. In order to avoid massively stupid blunders, like the dead easy identity theft demonstrated by FireSheep.

That's something that CAN BE achieved for free, on a massive scale, like Let's Encrypt and CACert are doing.

There's no realistic way that Let's Encrypt could in any way confirm owner identity for free on this massive scale.

That's something which is very easy to understand for people who have some basic knowledge of security.

Sadly, sheeple are stupid. So you need to educate them and try to find ways to make them understand.
(e.g.: the above-mentioned "show certified owner in the URL bar if provided" that Firefox is doing).

But sapping efforts like "Let's Encrypt", which are providing a very valuable service (bringing the availability of HTTPS, TLS/SSL, etc. on a massive scale), simply because some idiot can't tell the difference between "protection against 3rd party eavesdropping" and "identity of the owner" is counter-productive.
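As an added illustration of the point this comment makes (example code written for this page, not from the commenter, from Let's Encrypt, or from any browser vendor): the script below takes a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns and reports exactly two things separately, whether the certificate is bound to the hostname you connected to, and whether its subject names an organization at all. The two sample certificates, the CA names and the `fetch_peer_cert` helper are constructed for the example; no real certificate data is embedded.

```python
"""What a certificate actually proves: hostname binding versus owner identity.

Operates on the dictionary shape returned by ssl.SSLSocket.getpeercert(), so it
runs offline on the constructed samples below; fetch_peer_cert() feeds it a
live certificate instead.
"""
import socket
import ssl

# Constructed sample (not a real certificate): domain-validated (DV).
# The subject carries only a commonName; there is no organizationName.
DV_CERT = {
    "subject": ((("commonName", "bobscarrepair.com"),),),
    "issuer": ((("organizationName", "Example DV CA (constructed)"),),),
    "subjectAltName": (
        ("DNS", "bobscarrepair.com"),
        ("DNS", "www.bobscarrepair.com"),
    ),
}

# Constructed sample (not a real certificate): organization-validated (OV).
OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Payments Inc. (constructed)"),),
        (("commonName", "pay.example"),),
    ),
    "issuer": ((("organizationName", "Example OV CA (constructed)"),),),
    "subjectAltName": (("DNS", "pay.example"), ("DNS", "*.pay.example")),
}


def rdn_to_dict(rdns):
    """Flatten the getpeercert() RDN tuple-of-tuples into a plain dict."""
    flat = {}
    for rdn in rdns:
        for attr_type, value in rdn:
            flat[attr_type] = value
    return flat


def validation_level(cert):
    """'OV' if the subject names an organization, otherwise 'DV'.

    EV cannot be told apart from OV from this dict: getpeercert() does not
    expose the certificatePolicies extension that distinguishes them, so
    'OV' here only means "some organization vetting was recorded".
    """
    subject = rdn_to_dict(cert.get("subject", ()))
    return "OV" if subject.get("organizationName") else "DV"


def dns_names(cert):
    """DNS entries of the subjectAltName extension (what the cert is bound to)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _label_match(pattern, hostname):
    """Single-level wildcard match in the spirit of RFC 6125:
    '*.pay.example' matches 'api.pay.example' but neither 'pay.example'
    nor 'deep.api.pay.example'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    head, sep, rest = hostname.partition(".")
    return bool(sep) and head != "" and rest == pattern[2:]


def hostname_bound(cert, hostname):
    """True when some SAN entry covers hostname: this is all a DV cert asserts."""
    return any(_label_match(name, hostname) for name in dns_names(cert))


def describe(cert, hostname):
    """Separate the two questions the thread keeps conflating."""
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    return {
        "hostname_matches": hostname_bound(cert, hostname),
        "level": validation_level(cert),
        # None for a DV certificate: the field is simply absent, not wrong.
        "organization": subject.get("organizationName"),
        "issuer": issuer.get("organizationName"),
    }


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live helper (hypothetical name): fetch getpeercert() for a real host,
    validated against the platform trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert, host in ((DV_CERT, "www.bobscarrepair.com"), (OV_CERT, "api.pay.example")):
        print(host, describe(cert, host))
```

The DV sample comes back with `hostname_matches: True` and `organization: None`, which is the whole of what such a certificate says: the channel is to the host whose name you typed, and nothing about who operates it. Whether that name resembles somebody else's brand is a question the certificate never answers, so that check has to live elsewhere (browser heuristics, a blocklist, or the user).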

Comment Re:Nope (Score 1) 127

2014 called -

Forget Makerbot - did you warn them about the Paris attacks? The Ankara bombings? The Metrojet bombing? Did you tell them to have Robin Williams visit a psychiatrist? Did you tell them to have Carrie Fisher visit a cardiologist? Did you have them warn Ukraine not to underestimate Russia in Donbass? Did you tell Germanwings to up their game on psych evals? Did you tell them to teach Podesta basic email security? Did you tell about Brexit? Did you warn them about Trump? Did you have anyone tell Clinton that she'll be best known for email servers and a conspiracy theory about a pizza parlor's occult child pornography dungeon? Did you warn Bowling Green about the horrific terror attack, and the cruel irony that people will forget about it?

Comment Re: Nope (Score 2) 127

Is it really that expensive? I know some people who had run a small startup automaker that raised 30-something million. They were about 3 months out from first commercial deliveries (having made a couple dozen prototypes to various degrees, ranging from empty shells to full builds), with about $10m still left in the bank - when the board decided to bring on a guy from Detroit (Paul Wilbur, the guy responsible for the Chevy SSR, and a bunch of other train-wrecks-in-car-form), who then proceeded to run the company into the ground.

Are aircraft that much more expensive than cars, that you can't even build a demonstrator for that kind of money? To be fair, the automaker's vehicle was technically classified as a motorcycle, so their regulations weren't as onerous as for most cars (but they still did full crash and crush tests anyway, voluntarily). But, I mean, they just churned out prototypes one after the next.

Comment Re:Sorry, it's time has passed (Score 3, Interesting) 177

OS/2 got interrupt handling exactly right. I could format a floppy, play Wolfenstein in a window, and have a mod tracker playing in the background on a 486/25. BeOS got close but was never quite as good.

My Linux machine today can't copy to a USB hard drive without making the rest of the system unusable.

It seems like Linux could still learn some tricks from these old OS's.

Comment Re: but you arent a traditional CA (Score 1) 212

Typosquatting has been a problem for twenty years and DV certs for at least half that time. Why would this suddenly be Let's Encrypt's problem? $4.95 has never stopped phishing attacks before.

Any typosquatting solution is going to be entirely locale dependent - the only place to handle that is at the browser. Give Google and MoFo hell about never caring about this. For all I know the Kazakh word for "hot pizza" looks like "citibank" but it's definitely not a job for Let's Encrypt to deny that pizza place a cert. If we insist they do, they will either fail to succeed or give up and go home. Cui bono?

Comment Re:Uhm... (Score 1) 499

Documents 6 bankruptcies, and 13 businesses that closed up shop - at the very least suggests he doesn't know what he's doing.

Business has something in common with war and engineering:
  1. You try a bunch of stuff that looks like it might work.
  2. Some of it works, some of it doesn't.
  3a. You stop doing (and wasting resources on) what doesn't work
  3b. and continue doing more of what does (transferring any remaining resources from the abandoned paths.)
  4. PROFIT!

In business, step 3a is called "a large business environment, major projects are done in separate subsidiary corporations. This uses the "corporate veil" as a firewall, to keep the failed attempts from reaching back and sucking up more resources from what's succeeding. Dropping a failed experiment in step 3a (when it's failed so badly that there's nothing left to salvage in a different attempt's 3b) is called "bankruptcy". It lets you stop throwing good money after bad and move on.

So bankruptcy is NOT necessarily a sign of weakness, stupidity, or lack of business acumen. On the contrary: It shows the decision-maker was smart enough to spend a bit extra to erect the firewall between the bulk of his holdings and the iffy project.

So a successful large-business-empire-operator who is also innovative will usually have a number of bankruptcies in his history. It's no big deal, anyone in business at or near that level knows it, and took it into account if they risked some of their resources in someone else's experiment that failed in the hope of profit if it succeeded.

Also: Someone starting out may have too few resources to run many experiments simultaneously. (Or even a big guy may be reduced to a little guy by too many failures - not necessarily his fault.) So he has to try serially, doing only one or a few at a time. This may mean total bankruptcy, even multiple times, before coming up with something that does work. Lots of successful businessmen went through total bankruptcy, sometimes several times, before hitting it big.

Comment Re: Uhm... (Score 1) 499

Do you believe that H1-B workers are the best talent?

I don't believe that the United States has a monopoly on talent. There are talented people all over the world, indeed the vast majority of highly-talented people are born outside of the US, because the vast majority of people are born outside the US. Whatever the immigration mechanism, it's in the United States' best interest to draw the most talented people from the whole world to work and live here.
